Hacker Breached NOAA Satellite Data from Contractor’s PC

By Aliya Sternstein

July 28, 2014

National Oceanic and Atmospheric Administration satellite data was stolen from a contractor's personal computer last year, but the agency could not investigate the incident because the employee refused to turn over the PC, according to a new inspector general report.

This is but one of the “significant security deficiencies” that pose a threat to NOAA’s critical missions, the report states.

Other weaknesses include unauthorized smartphone use on key systems and thousands of software vulnerabilities.

The July 15 report, made public on Friday, concentrates on information-technology security problems at NOAA's National Environmental Satellite, Data, and Information Service. NOAA is part of the Commerce Department.

During the 2013 incident, "an attacker exfiltrated data from a NESDIS system to a suspicious external IP address via the remote connection established with a personal computer," wrote Allen Crawley, Commerce's assistant IG for systems acquisition and IT security, referring to a dodgy computer address.

NOAA determined the PC likely was infected with malware, but it was prevented from examining further because "the owner of the personal computer, even though a NESDIS contractor, did not give NOAA permission to perform forensic activities on the personal computer," Crawley said.

The inspector general cited this case as an example of why it's a bad idea -- and a violation of Commerce policy -- for any personnel to access NOAA information systems using personal computers. In response to a draft report, NOAA officials noted the system in question was not a "high-impact" system.

Satellites a Potential Target for Hackers

The report, however, also focused on vulnerabilities to high-impact systems related to weather satellites, such as the Polar-orbiting Operational Environmental Satellites and Geostationary Operational Environmental Satellites.

Unauthorized smartphone and thumb drive use was recently detected on 41 percent of components in systems supporting POES; 36 percent of GOES support systems; and 48 percent of components in the Environmental Satellite Processing Center, a system that handles data received from the satellites.

Several U.S. earth observation satellites have also been probed by suspected Chinese government hackers in recent years, according to federal officials.

In 2011, the Defense Department investigated two unusual incidents a few years prior involving signals targeting a U.S. Geological Survey satellite. NASA also experienced two "suspicious events" with a Terra observational satellite in 2008. A 2011 report by the U.S.-China Economic and Security Review Commission characterized the events as successful interferences that might have been linked to the Chinese government.

Crawley said, "As it only takes one infected mobile device to spread malware and allow an attacker access to restricted systems like POES and GOES, NESDIS’ critical components are at increased risk of compromise."

IG Also Cites Turf War, Funding Shortfall

A clash between the Air Force and NOAA over securing conjoined systems also has created hazards.

POES is interwoven with the military’s Defense Meteorological Satellite Program to the point where they are virtually one system.

"Because USAF and NOAA disputed for several years (from 2006 to 2010) who was responsible for DMSP’s security, neither organization conducted security assessments" of the military satellites, Crawley said. "POES will remain interwoven with DMSP, and DMSP’s security posture will remain deficient for some time."

Inadequate funding might prolong the security lapse further.

NOAA "has asserted that if funding is not available it will abandon any corrective actions and accept the risks of leaving the systems interwoven," he said.

The Air Force, meanwhile, doesn't expect to conduct a security posture assessment until a technology upgrade in 2016.

"There is doubt that the refresh will occur because of the USAF’s funding constraints," the report stated.

Linkages between NOAA satellite systems and less secure machines, such as those connected to the Internet, also present a threat.

POES and GOES "have interconnections with systems where the flow of information is not restricted, which could provide a cyberattacker with access to these critical assets," Crawley said.

Thousands of Vulnerabilities Unremedied

A more general issue across NOAA satellite systems is security bugs in software that have remained unfixed for more than a decade.

"POES, GOES, and ESPC have thousands of vulnerabilities, where some of the vulnerabilities in the software have been publicly disclosed for as long as 13 years," he said. "The older the vulnerability, the more likely exploits have been incorporated into common hacking toolkits."

Overall, NOAA officials agreed with the report’s findings, but said the agency has already begun addressing the defects, the final report states.

"NOAA is committed to maintaining a cost-effective IT security program that manages risk at an acceptable level," Vice Adm. Michael Devany, NOAA deputy undersecretary for operations, wrote in a June letter, responding to the draft report. "We had already identified most of the concerns cited by the OIG in the report and have been implementing remediation efforts" that are documented in a Commerce tracking system.